Well once again corporate addiction to data comes and bites it on the A$$. There is no reason once the identity is validated to retain the information used.
Start off by making the fines well above the cost of doing business. I have seen and worked on so many systems where historical customer data is held for far beyond the customers involvement,in some instances the excuse de juor its too hard to purge. Poor system design, built upon convenient /non-existent legislation creates these honey pots. Add to that better, cheaper faster (the clean up is someone else's problem) and you have the third of the country exposed. I do seriously doubt anything will change here as Govt is on the same data junkie bender big corps are.